Added missing license headers

Added the initial support for the database protection with the setuid
mechanism. In the beginning the program creates(or opens) the database
as a special user, and then switches to the real uid and functions
normally.

src/fuse_operations.c

@@ -116,12 +116,11 @@ static int xmp_access(const char *path, int mask) {
     struct fuse_context *fc = fuse_get_context();
 
     pi.PID = fc->pid;
-    pi.UID = fc->uid;
     pi.name = get_process_name_by_pid(pi.PID);
 
     // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
 
-    if (!interactive_access(real_filename(path), pi)) {
+    if (!interactive_access(real_filename(path), pi, 0)) {
       free(pi.name);
       return -EACCES;
     }
@@ -281,12 +280,11 @@ static int xmp_unlink(const char *path) {
 
   // ask the user for the permission for deleting the file
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
 
-  if (!interactive_access(real_filename(path), pi)) {
+  if (!interactive_access(real_filename(path), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }
@@ -330,12 +328,11 @@ static int xmp_rename(const char *from, const char *to, unsigned int flags) {
   struct fuse_context *fc = fuse_get_context();
 
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
 
-  if (!interactive_access(real_filename(from), pi)) {
+  if (!interactive_access(real_filename(from), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }
@@ -343,7 +340,7 @@ static int xmp_rename(const char *from, const char *to, unsigned int flags) {
   // the "to" file may exist and the process needs to get persmission to modify
   // it
   if (source_access(to, F_OK) == 0 &&
-      !interactive_access(real_filename(to), pi)) {
+      !interactive_access(real_filename(to), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }
@@ -363,11 +360,10 @@ static int xmp_link(const char *from, const char *to) {
   struct fuse_context *fc = fuse_get_context();
 
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
-  if (!interactive_access(real_filename(from), pi)) {
+  if (!interactive_access(real_filename(from), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }
@@ -389,11 +385,10 @@ static int xmp_chmod(const char *path, mode_t mode, struct fuse_file_info *fi) {
   struct fuse_context *fc = fuse_get_context();
 
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
-  if (!interactive_access(real_filename(path), pi)) {
+  if (!interactive_access(real_filename(path), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }
@@ -421,11 +416,10 @@ static int xmp_chown(const char *path, uid_t uid, gid_t gid,
   struct fuse_context *fc = fuse_get_context();
 
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
-  if (!interactive_access(real_filename(path), pi)) {
+  if (!interactive_access(real_filename(path), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }
@@ -476,17 +470,16 @@ static int xmp_utimens(const char *path, const struct timespec ts[2],
 
 static int xmp_create(const char *path, mode_t mode,
                       struct fuse_file_info *fi) {
-  int fd;
+  int fd = -1;
   struct process_info pi;
   struct fuse_context *fc = fuse_get_context();
 
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
 
-  if (!interactive_access(real_filename(path), pi)) {
+  if (!interactive_access(real_filename(path), pi, GRANT_PERM)) {
     free(pi.name);
     return -EACCES;
   }
@@ -507,11 +500,10 @@ static int xmp_open(const char *path, struct fuse_file_info *fi) {
   struct fuse_context *fc = fuse_get_context();
 
   pi.PID = fc->pid;
-  pi.UID = fc->uid;
   pi.name = get_process_name_by_pid(pi.PID);
 
   // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
-  if (!interactive_access(real_filename(path), pi)) {
+  if (!interactive_access(real_filename(path), pi, 0)) {
     free(pi.name);
     return -EACCES;
   }

src/main.c

@@ -10,6 +10,8 @@
   See the file LICENSE.
 */
 
+#include <sys/types.h>
+#include <unistd.h>
 #define FUSE_USE_VERSION 31
 
 #define _GNU_SOURCE
@@ -28,17 +30,17 @@ const char *mountpoint = NULL;
 int main(int argc, char *argv[]) {
   umask(0);
 
-  mountpoint = realpath(argv[argc - 1], NULL);
+  int ret = init_ui_socket();
-
-  int ret = source_init(mountpoint);
   if (ret != 0) {
-    perror("source_init");
+    fprintf(stderr, "Could not initalize ui-socket.\n");
     exit(EXIT_FAILURE);
   }
 
-  ret = init_ui_socket();
+  mountpoint = realpath(argv[argc - 1], NULL);
+
+  ret = source_init(mountpoint);
   if (ret != 0) {
-    fprintf(stderr, "Could not initalize ui-socket.\n");
+    perror("source_init");
     exit(EXIT_FAILURE);
   }
 

src/perm_permissions_table.c

@@ -1,10 +1,24 @@
+/*
+  ICFS: Interactively Controlled File System
+  Copyright (C) 2024-2025  Fedir Kovalov
+
+  This program can be distributed under the terms of the GNU GPLv2.
+  See the file LICENSE.
+*/
+
 #include "perm_permissions_table.h"
 #include "process_info.h"
+#include <fcntl.h>
+#include <pthread.h>
 #include <sqlite3.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/fsuid.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 sqlite3 *perm_database = NULL;
 const char *const table_name = "permissions";
@@ -12,6 +26,38 @@ const char *const table_name = "permissions";
 const int column_count = 2;
 const char *const schema[] = {"executable", "filename"};
 const char *const types[] = {"TEXT", "TEXT"};
+uid_t ruid, euid, current_pid;
+pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER;
+
+void set_db_fsuid() {
+  pthread_mutex_lock(&uid_switch);
+  if (current_pid == ruid)
+    return;
+
+  int status = -1;
+
+  status = setfsuid(ruid);
+  if (status < 0) {
+    fprintf(stderr, "Couldn't set uid to %d.\n", ruid);
+    exit(status);
+  }
+  pthread_mutex_unlock(&uid_switch);
+}
+
+void set_real_fsuid() {
+  pthread_mutex_lock(&uid_switch);
+  if (current_pid == ruid)
+    return;
+
+  int status = -1;
+
+  status = setfsuid(ruid);
+  if (status < 0) {
+    fprintf(stderr, "Couldn't set uid to %d.\n", euid);
+    exit(status);
+  }
+  pthread_mutex_unlock(&uid_switch);
+}
 
 static int check_table_col_schema(void *notused, int argc, char **argv,
                                   char **colname) {
@@ -21,15 +67,16 @@ static int check_table_col_schema(void *notused, int argc, char **argv,
     fprintf(stderr, "Unexpected amount of arguments given to the callback.\n");
     return 1;
   }
-  int i = atoi(argv[0]);
+  int column_num = atoi(argv[0]);
-  if (i >= column_count) {
+  if (column_num >= column_count) {
     fprintf(stderr, "Table contains more columns than expected.\n");
     return 1;
   }
-  if (strcmp(schema[i], argv[1]) == 0 && strcmp(types[i], argv[2]) == 0) {
+  if (strcmp(schema[column_num], argv[1]) == 0 &&
+      strcmp(types[column_num], argv[2]) == 0) {
     return 0;
   }
-  fprintf(stderr, "Column %d does not conform to the schema.\n", i);
+  fprintf(stderr, "Column %d does not conform to the schema.\n", column_num);
   return 1;
 }
 
@@ -101,14 +148,28 @@ int ensure_database_schema() {
  * @return: 0 on success, -1 on failure
  */
 int init_perm_permissions_table(const char *db_filename) {
+  // we don't want the group and others to access the db
+  umask(0077);
+  ruid = getuid();
+  euid = geteuid();
+  fprintf(stderr, "Running with uid: %d, gid: %d\n", euid, getegid());
+
   if (sqlite3_open(db_filename, &perm_database)) {
     perror("Can't open permanent permissions database:");
     return -1;
   }
+  umask(0);
   if (ensure_database_schema()) {
     fprintf(stderr, "Database schema is not correct.\n");
     return -1;
   }
+
+  int status = seteuid(ruid);
+  if (status < 0) {
+    fprintf(stderr, "Couldn't set euid to ruid during database setup.\n");
+    exit(status);
+  }
+
   return 0;
 }
 

src/perm_permissions_table.h

@@ -1,3 +1,10 @@
+/*
+  ICFS: Interactively Controlled File System
+  Copyright (C) 2024-2025  Fedir Kovalov
+
+  This program can be distributed under the terms of the GNU GPLv2.
+  See the file LICENSE.
+*/
 
 #ifndef PERM_PERMISSION_TABLE_H
 #define PERM_PERMISSION_TABLE_H

src/process_info.h

@@ -1,3 +1,10 @@
+/*
+  ICFS: Interactively Controlled File System
+  Copyright (C) 2024-2025  Fedir Kovalov
+
+  This program can be distributed under the terms of the GNU GPLv2.
+  See the file LICENSE.
+*/
 
 #ifndef PROCESS_INFO_H
 #define PROCESS_INFO_H
@@ -6,7 +13,6 @@
 struct process_info {
   pid_t PID;
   const char *name;
-  uid_t UID;
 };
 
 #endif // PROCESS_INFO_H

src/sourcefs.c

@@ -33,6 +33,8 @@ int source_init(const char *root_path) {
   int root_fd = open(root_path, O_PATH);
 
   if (root_fd == -1) {
+    fprintf(stderr, "Could not initialize source file system at %s", root_path);
+    perror("");
     return -1;
   }
 

src/ui-socket.c

@@ -10,7 +10,6 @@
 #include <sys/types.h>
 #include <time.h>
 #define _GNU_SOURCE
-#include "cc.h"
 #include "perm_permissions_table.h"
 #include "temp_permissions_table.h"
 #include "ui-socket.h"
@@ -61,9 +60,9 @@ void destroy_ui_socket() {
  * GUI
  *
  * @param filename: The file that the process is trying to access
- * @pram pi: The process information
+ * @param pi: The process information
- * @return: 0 if access is denied, 1 if access is allowed, 2 if access is allwed
+ * @return: 0 if access is denied, 1 if access is allowed, 2 if access is
- * for the runtime of the process
+ * allowed for the runtime of the process
  */
 int ask_access(const char *filename, struct process_info pi) {
   FILE *fp;
@@ -115,15 +114,28 @@ int ask_access(const char *filename, struct process_info pi) {
  *
  * @param filename: The file that the process is trying to access
  * @pram pi: The process information
+ * @param opts: options (GRANT_TEMP, GRANT_PERM)
  * @return: 0 if access is denied, 1 if access is allowed
  */
-int interactive_access(const char *filename, struct process_info pi) {
+int interactive_access(const char *filename, struct process_info pi, int opts) {
 
   if (check_temp_access(filename, pi) || check_perm_access(filename, pi)) {
     // access was already granted before
     return 1;
   }
 
+  // if noth GRANT_TEMP and GRANT_PERM are selected, then only permanent
+  // permissions are granted
+
+  if (opts & GRANT_PERM) {
+    give_perm_access(filename, pi);
+    return 1;
+  }
+  if (opts & GRANT_TEMP) {
+    give_temp_access(filename, pi);
+    return 1;
+  }
+
   int user_response = ask_access(filename, pi);
   if (user_response == 1) {
     // user said "yes"

src/ui-socket.h

@@ -36,8 +36,13 @@ void destroy_ui_socket(void);
  *
  * @param filename: The file that the process is trying to access
  * @pram pi: The process information
+ * @param opts: options (GRANT_TEMP, GRANT_PERM)
  * @return: 0 if access is denied, 1 if access is allowed
  */
-int interactive_access(const char *filename, struct process_info pi);
+int interactive_access(const char *filename, struct process_info pi, int opts);
+
+#define GRANT_TEMP 1
+#define GRANT_PERM 2
+// #define TABLE_ONLY 4 // NOTE: Add this in the future?
 
 #endif // !UI_SOCKET_H

test/test.bash

@@ -16,31 +16,48 @@ PATH="$(realpath ./mock/):$PATH"
 # mount the filesystem
 
 echo "Run $(date -u +%Y-%m-%dT%H:%M:%S) "
-valgrind -s ../build/icfs -o default_permissions ./protected &
+if [[ $1 == "--setuid" ]]; then
+  echo "Setting the setuid bit..."
+  echo "root privilieges are required to create a special user and set correct ownership of the executable."
+  id -u icfs &>/dev/null || sudo useradd --system --user-group icfs
+  sudo chown icfs: ../build/icfs && sudo chmod 4777 ../build/icfs
+  chmod g+w . # needed for icfs to be able to create the database
+  echo "Valgrind will not be used due to setuid compatibility issues."
+  ../build/icfs -o default_permissions ./protected &
+  sleep 1
+else
+  echo "Database protection will not be tested due to the lack of setuid capabilites."
+  echo "To test it, run this script with '--setuid'."
+  valgrind -s ../build/icfs -o default_permissions ./protected &
+  sleep 5
+fi
 
-sleep 5
+#valgrind -s ../build/icfs -o default_permissions ./protected &
+
+# WARN: please don't use `>` or `>>` operators. They force **this script** to open the file, **not the program you are trying to run**. This is probably not what you mean when you want to test a specific program's access.
+# WARN: avoid using touch, since it generates errors because setting times is not implemented in icfs **yet**.
 
 # create files
 
 zenity --set-fake-response no
-touch ./protected/should-not-exist 2>/dev/null &&
+truncate -s 0 ./protected/should-exist-anyway 2>/dev/null &&
-  echo "[ICFS-TEST]: touch can create protected/should-not-exist despite access being denied!" ||
+  echo "[ICFS-TEST]: OK" ||
-  echo "[ICFS-TEST]: OK" # EACCESS
+  echo "[ICFS-TEST]: truncate cannot create protected/should-exist despite access being permitted!" # OK
 
 zenity --set-fake-response yes_tmp
-touch ./protected/should-exist 2>/dev/null &&
+truncate -s 0 ./protected/should-exist 2>/dev/null &&
   echo "[ICFS-TEST]: OK" ||
-  echo "[ICFS-TEST]: touch cannot create protected/should-exist despite access being permitted!" # OK
+  echo "[ICFS-TEST]: truncate cannot create protected/should-exist despite access being permitted!" # OK
 
 # write to files
 
 zenity --set-fake-response no
-echo "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." >./protected/truth 2>/dev/null &&
+sed -e 'a\'"Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." "./protected/truth" 2>/dev/null &&
   echo "[ICFS-TEST]: echo can write to protected/lie despite access being denied!" ||
   echo "[ICFS-TEST]: OK" # EACCESS
 
 zenity --set-fake-response yes_tmp
-echo "Sharing knowledge is the most fundamental act of friendship. Because it is a way you can give something without loosing something." >./protected/truth 2>/dev/null &&
+sed -e 'a\'"Sharing knowledge is the most fundamental act of friendship. Because it is a way you can give something without loosing something." "./protected/truth" 2>/dev/null &&
   echo "[ICFS-TEST]: OK" ||
   echo "[ICFS-TEST]: echo cannot write to protected/truth despite access being permitted!" # OK
 
@@ -90,17 +107,24 @@ chmod 000 ./protected/perm000 2>/dev/null &&
   echo "[ICFS-TEST]: OK" ||
   echo "[ICFS-TEST]: chmod cannot change permissions of protected/perm000 despite access being permitted!" # OK
 
-# create files with permanent permissions
+# test permanent permissions
 
 zenity --set-fake-response yes
-touch ./protected/friendly 2>/dev/null &&
+cat ./protected/motto >/dev/null 2>/dev/null &&
   echo "[ICFS-TEST]: OK" ||
-  echo "[ICFS-TEST]: touch cannot create protected/friendly despite access being permitted!" # OK
+  echo "[ICFS-TEST]: echo cannot read protected/motto despite access being permitted!" # OK
 
 zenity --set-fake-response no # this should be ignored
-touch ./protected/friendly-again 2>/dev/null &&
+cat ./protected/motto >/dev/null 2>/dev/null &&
   echo "[ICFS-TEST]: OK" ||
-  echo "[ICFS-TEST]: touch cannot create protected/friendly-again despite access being permitted!" # OK
+  echo "[ICFS-TEST]: echo cannot read protected/motto despite access being permitted!" # OK
+
+# test database access
+if [[ -r "./.pt.db" || -w "./.pt.db" ]]; then
+  echo "[ICFS-TEST]: permanent permissions is accessible!"
+else
+  echo "[ICFS-TEST]: OK"
+fi
 
 # unmount